[Bug middle-end/50460] [4.7 Regression] __builtin___strcpy_chk/__builtin_object_size don't work
jakub at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Tue Sep 20 10:49:00 GMT 2011
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50460
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org
   Target Milestone|---                         |4.7.0
--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> 2011-09-20 09:59:49 UTC ---
Seems to be caused by PR48571, we throw away the important info (that the
access was through a.buf1 rather than &a), which is essential for
-D_FORTIFY_SOURCE=2.
The change happens already during gimplification:
- strcpy (&a.buf1[4], D.2732);
+ strcpy (&MEM[(void *)&a + 4B], D.2732);
while in *.original it was
strcpy ((char *) &a.buf1 + 4, str1 + 5);
Not reconstructing the array ref is fine, but before *.objsz pass we really
shouldn't throw away the buf1 from it, so it should be tmp = &a.buf1 + 4;
-D_FORTIFY_SOURCE=2 cares whether the user wrote
strcpy ((char *) &a + 4, ...); (in which case it allows to overwrite the
whole object) or strcpy ((char *) &a.buf1 + 4, ...); (in which case it is
allowed to overwrite just the buf1 field).
Richard, can you please have a look at this?
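As an added illustration of the distinction described in the comment above (example code written here, not the bug report's testcase or anything from GCC's testsuite), the three __builtin_object_size queries below run on a constructed struct with a 10-byte buf1 followed by a second field. Type 1 is what -D_FORTIFY_SOURCE=2 passes, type 0 what level 1 passes; a result of (size_t)-1 means the compiler could not resolve the pointer at all (GCC needs optimization enabled for the pointer-arithmetic forms), while a compiler that drops the buf1 information as described above would answer the second query with the third query's value and so miss an overflow into buf2.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed layout, not the bug report's: a 10-byte field followed by
   another 10-byte field, so a write running past buf1 still lands inside
   the 20-byte object `a` and only a subobject bound (type 1) catches it. */
struct s {
    char buf1[10];
    char buf2[10];
};

static struct s a;

/* Value __builtin_object_size returns for types 0 and 1 when the size is
   unknown to the compiler. */
#define OBJSZ_UNKNOWN ((size_t)-1)

/* Type 0 (-D_FORTIFY_SOURCE=1): bytes to the end of the enclosing object,
   so a strcpy into a.buf1 + 4 may silently run into buf2.  Expected: 16. */
size_t bytes_left_type0_via_field(void)
{
    return __builtin_object_size(&a.buf1[4], 0);
}

/* Type 1 (-D_FORTIFY_SOURCE=2) with the access written through the field:
   only the remainder of buf1 is allowed.  Expected: 6. */
size_t bytes_left_type1_via_field(void)
{
    return __builtin_object_size(&a.buf1[4], 1);
}

/* Type 1 with the access written as (char *)&a + 4: the user addressed the
   whole object, so the whole remainder is allowed.  Expected: 16. */
size_t bytes_left_type1_via_object(void)
{
    return __builtin_object_size((char *)&a + 4, 1);
}

int main(void)
{
    /* __builtin___strcpy_chk(dst, src, n) aborts when strlen(src) >= n;
       fortify passes one of these values as n, so the second query is the
       one that makes an intra-object overflow detectable. */
    printf("type 0, &a.buf1[4]     : %zu\n", bytes_left_type0_via_field());
    printf("type 1, &a.buf1[4]     : %zu\n", bytes_left_type1_via_field());
    printf("type 1, (char *)&a + 4 : %zu\n", bytes_left_type1_via_object());
    return 0;
}
```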